Path promises fix for grabbing geolocation data from photos

Security researcher says Apple can also do better at preventing privacy leaks.

Just as Path was trying to put its privacy woes behind it, a security researcher has caught the social network taking new liberties with personal information stored on iPhones and iPads. Path developers have submitted an update that fixes the problem, which they only became aware of today, officials at the company said.

Path's iOS app was found copying geographic locations embedded in photos and pasting them into user posts—even when location services had been disabled. This is according to a blog post published Friday by Jeffrey Paul, a self-described hacker and security researcher living in Berlin. He characterized the behavior as exploiting a loophole, since it allows Path to regularly keep tabs on users' locations, even when they have taken pains to keep that data private.

"This is surely terrible form on Path's part," Paul wrote.

In a comment responding to the post, a Path official thanked Paul for bringing the behavior to the company's attention. At the time, he didn't say how soon an updated app would be available for download.

"One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data," Path Product Manager Dylan Casey wrote. "This only affected photos taken with the Apple Camera and imported into Path."

Paul's post came hours after the US Federal Trade Commission said Path would pay $800,000 to settle charges that it violated users' privacy by collecting personal data from mobile device address books without their knowledge or permission. The settlement also requires Path to establish a "comprehensive privacy program" that will be subject to monitoring for the next 20 years.

Paul said his discovery also underscored the need for Apple to build safeguards into iOS that prevent EXIF—or Exchangeable Image File format—data embedded in photos from being detected by individual apps unless users explicitly approve. Apple added similar fine-grained protections last year preventing apps from accessing contacts, photos, and location data. The changes followed revelations that Path's iOS app uploaded users' entire address books to its servers, a controversy that touched off the FTC investigation resulting in Friday's settlement.